Integrate Microsoft Azure with Red Canary
- Updated on 09 Oct 2024
Integrating Microsoft Azure with Red Canary enhances cloud security by providing advanced threat detection and response capabilities. This integration gives organizations deeper visibility into their cloud environments, helps them identify and prioritize critical threats, and shortens incident response times, ultimately reducing the risk of data breaches and downtime. To integrate Microsoft Azure with Red Canary, follow the procedure below from beginning to end. Once all steps are completed successfully, data should be flowing into Red Canary within 4 hours or less.
Prerequisites
Ensure you are subscribed to Red Canary's Cloud Control Planes license.
You must have Azure Global Admin rights.
Enable “Access management for Azure resources” for your Azure Global Admin account.
Users performing integration steps need the Owner role on the management group. To grant this, use the command below (permissions can be revoked after validation):
az role assignment create --assignee <User ID> --scope "/" --role "Owner"
Enable Management Groups for your Azure directory.
Ensure Azure Lighthouse is enabled.
Have the following ready:
Note: You may experience a potential increase in Azure costs depending on the volume of new logs exported to your Log Analytics workspace as part of the MDR for Azure integration.
Affected Logs: Log Analytics Workspace, Log Analytics Data Export, Platform Logs (Storage Diagnostic Settings)
For more information, see Pricing - Azure Monitor
Azure Region Support:
Microsoft Azure's region uaenorth does not currently support Premium Event Hubs. The impact of this is that Red Canary currently cannot process telemetry or alerts from infrastructure in the uaenorth Azure region. This is expected to continue at least through October 2024.
Step 1: Set up the Azure infrastructure
Download the Red Canary Bicep file and upload it to your Azure Cloud Shell.
From your Red Canary homepage, click Microsoft Azure.
Enter a name for your new Microsoft Azure integration.
Click Red Canary Bicep File to download the required file. You’ll use this in a later step.
Copy and then save the command below. You’ll use this in a later step.
Note: For the <TenantId> below, enter your Azure Tenant ID.
az deployment mg create --name 'RCLogIngestPolicy' \
  --location eastus \
  --template-file RedCanary.bicep \
  --management-group-id <TenantId>
Microsoft Azure: From your Microsoft Azure homepage, click Cloud Shell.
From the Cloud Shell dropdown, select Bash.
Click Upload File.
Click Upload.
Select the Red Canary Bicep File you downloaded in Step 1.4.
From the Cloud Shell command, paste and then run the command from Step 1.5.
Red Canary: Select I've deployed the Bicep file.
Copy the entire command block below (both commands) and then save it. You'll use this in a later step.
az account list --query "[].id" \
  --out tsv | xargs -I {} -P 10 az policy remediation \
  create --name RCLogConfigurationAccessDeploy --policy-assignment RCLogConfigurationAccess \
  --resource-discovery-mode ReEvaluateCompliance --subscription "{}"

az account list --query "[].id" \
  --out tsv | xargs -I {} -P 10 az policy remediation \
  create --name RCAutomationRgDeploy --policy-assignment RCAutomationRg \
  --resource-discovery-mode ReEvaluateCompliance --subscription "{}"
Microsoft Azure: From the Cloud Shell command line, paste and then run the entire command block from the step above.
Note: These commands run a remediation that applies the diagnostic setting policies to all existing subscriptions.
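As an added example (not Red Canary's script), the Bash below does the same remediation as the two xargs commands above, but one subscription at a time: it starts both remediations, waits for each to reach a final state, reports any subscription where a remediation did not succeed, and only when everything succeeded removes the temporary root-scope Owner assignment granted in the prerequisites. The remediation and policy-assignment names are the ones on this page; RC_TEMP_OWNER (object ID of the user who received Owner at "/") and RC_APPLY=1 (actually run against Azure) are placeholders of ours.

```shell
#!/usr/bin/env bash
# Added example, not Red Canary's script: run both Red Canary remediations in every
# subscription, wait for each to finish, report failures, and only then drop the
# temporary root-scope Owner assignment from the prerequisites.
# Assumptions: az is logged in; remediation and policy-assignment names are the ones
# on the page; RC_TEMP_OWNER (object ID of the temporary Owner) and RC_APPLY=1
# (actually run against Azure) are placeholders of ours.
set -eu

# "<remediation name> <policy assignment>" pairs, as used on the page.
REMEDIATIONS="RCLogConfigurationAccessDeploy RCLogConfigurationAccess
RCAutomationRgDeploy RCAutomationRg"

# Start one remediation in one subscription; non-zero exit if it could not be created.
start_remediation() {
  az policy remediation create --name "$2" --policy-assignment "$3" \
    --resource-discovery-mode ReEvaluateCompliance --subscription "$1" \
    >/dev/null </dev/null
}

# Poll until the remediation leaves its in-progress states, then print
# "<subscription>\t<name>\t<final state>".
wait_remediation() {
  while :; do
    state=$(az policy remediation show --name "$2" --subscription "$1" \
              --query provisioningState -o tsv 2>/dev/null </dev/null || echo Unknown)
    case "$state" in
      Accepted|Running|Evaluating) sleep 15 ;;
      *) printf '%s\t%s\t%s\n' "$1" "$2" "$state"; return 0 ;;
    esac
  done
}

# Pure helper (no Azure calls): read "<subscription>\t<name>\t<state>" lines from
# stdin, list every line whose state is not Succeeded on stderr, return 1 if any.
report_failures() {
  tab=$(printf '\t')
  failures=0
  while IFS=$tab read -r sub name state; do
    if [ -z "$sub" ]; then continue; fi
    if [ "$state" != "Succeeded" ]; then
      failures=$((failures + 1))
      printf 'NOT SUCCEEDED: subscription=%s remediation=%s state=%s\n' \
        "$sub" "$name" "$state" >&2
    fi
  done
  [ "$failures" -eq 0 ]
}

main() {
  results=$(mktemp)
  az account list --query "[].id" -o tsv | while read -r sub; do
    printf '%s\n' "$REMEDIATIONS" | while read -r name assignment; do
      if start_remediation "$sub" "$name" "$assignment"; then
        wait_remediation "$sub" "$name"
      else
        printf '%s\t%s\tcreate-failed\n' "$sub" "$name"
      fi
    done
  done >"$results"

  if report_failures <"$results"; then
    echo "All remediations succeeded in every subscription."
    if [ -n "${RC_TEMP_OWNER:-}" ]; then
      # Least privilege: the root-scope Owner was only needed for onboarding.
      az role assignment delete --assignee "$RC_TEMP_OWNER" --scope "/" --role "Owner"
    fi
  else
    echo "Some remediations did not succeed; Owner assignment left in place for a re-run." >&2
    exit 1
  fi
}

if [ "${RC_APPLY:-0}" = "1" ]; then main; fi
```

Run it from Cloud Shell as RC_APPLY=1 RC_TEMP_OWNER=<object id> ./rc-remediate.sh; without RC_APPLY it only defines the functions, so the pure report_failures helper can be exercised on sample input. The Owner revocation is deliberately skipped when any remediation failed, because a re-run needs the same rights.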
Red Canary: Select I've connected my existing subscriptions.
Click Next.
Step 2: Configure an Azure Log Analytics workspace to collect Entra ID logs
For Red Canary to start receiving your telemetry, you must send the data from your environment to an Azure Log Analytics workspace.
Note: If you already have an Azure log analytics workspace ingesting logs, including ADFSSignInLogs, AuditLogs, ManagedIdentitySignInLogs, ServicePrincipalRiskEvents, ServicePrincipalSignInLogs, SignInLogs, and UserRiskEvents, select I already have a Log Analytics workspace set up and continue on to Step 2.20.
Select I need to set up a Log Analytics workspace.
Microsoft Azure: Log in to Microsoft Azure using a Global Admin account for the tenant that you want to integrate with Red Canary.
In the search bar, type and then select Resource groups.
Click +Create.
From the Subscription dropdown, select the subscription which you would like to house your Azure Log Analytics Workspace.
Enter a Resource Group name.
(Example: Red_Canary_Resources)
From the Region dropdown, select your local region.
Click Next: Tags >.
Click Next: Review + create >.
Click Create.
In the search bar, type and then select Log Analytics workspaces.
Click +Create.
From the Subscription dropdown, select the subscription you want associated with this workspace.
From the Resource group dropdown, select the Resource group created in Step 2.6.
Enter a name for the Instance details.
(Example: Red_Canary_Log_Analytic_workspace)
From the Region dropdown, select your local region.
Click Next: Tags >.
Click Next: Review + create >.
Click Create.
Red Canary: Select I've completed creating the Log Analytics workspace.
Note: If you already have a Log Analytics workspace to collect Entra ID logs, select I already have a Log Analytics workspace setup to collect Entra ID logs, and then click Next to continue on with Step 3.
Select I need to configure my Log Analytics workspace to collect Entra ID logs.
Microsoft Entra: Log in to Microsoft Entra using a Security Admin account.
In the search bar, type and then select Microsoft Entra ID.
From the Monitoring section, click Diagnostic settings.
Click + Add diagnostic setting.
Enter a name for your diagnostic setting.
From the Categories section, select the following:
ADFSSignInLogs
AuditLogs
ManagedIdentitySignInLogs
ServicePrincipalRiskEvents
ServicePrincipalSignInLogs
SignInLogs
UserRiskEvents
From the Destination details section, select Send to Log Analytics workspace.
From the Subscription dropdown, select the subscription you want associated with this Diagnostic setting.
From the Log Analytics workspace dropdown, select the workspace from Step 2.15.
Click Save.
Red Canary: Select I've completed configuring my Log Analytics workspace to collect Entra ID logs.
Click Next.
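For teams that script their tenant rather than click through the portal, here is an added example (not Red Canary's or Microsoft's code) of the Azure CLI equivalent of Step 2: create the resource group and Log Analytics workspace, enable the seven Entra ID categories from the list above as a diagnostic setting, print the workspace resource ID that Step 3 asks for, and then run a KQL query that shows which categories are actually landing in the workspace. RC_SUBSCRIPTION, RC_RG, RC_WORKSPACE, RC_LOCATION and the setting name RC-EntraID are placeholders of ours; the tenant-level microsoft.aadiam diagnosticSettings endpoint and api-version used with az rest are our understanding of what the portal calls for Entra ID settings, so verify against your tenant.

```shell
#!/usr/bin/env bash
# Added example, not Red Canary's or Microsoft's code: the Azure CLI equivalent of
# Step 2 (resource group, Log Analytics workspace, Entra ID diagnostic setting for the
# seven categories), followed by a query that checks the categories are arriving.
# Assumptions: az is logged in with enough rights for each step; RC_SUBSCRIPTION, RC_RG,
# RC_WORKSPACE and RC_LOCATION are set by you; RC-EntraID is our placeholder setting
# name; the microsoft.aadiam diagnosticSettings endpoint and api-version are our
# understanding of the tenant-level API; RC_APPLY=1 makes the script actually run.
set -eu

# The seven categories listed in Step 2.
ENTRA_CATEGORIES="ADFSSignInLogs AuditLogs ManagedIdentitySignInLogs ServicePrincipalRiskEvents ServicePrincipalSignInLogs SignInLogs UserRiskEvents"

# Pure helper: build the JSON "logs" array of the diagnostic-setting body.
build_logs_json() {
  first=1
  printf '['
  for category in $1; do
    if [ "$first" -eq 1 ]; then first=0; else printf ','; fi
    printf '{"category":"%s","enabled":true}' "$category"
  done
  printf ']'
}

# Diagnostic category -> Log Analytics table. The names differ: SignInLogs lands in
# SigninLogs and most of the rest gain an AAD prefix.
table_for_category() {
  case "$1" in
    SignInLogs) echo SigninLogs ;;
    AuditLogs|ADFSSignInLogs) echo "$1" ;;
    *) echo "AAD$1" ;;
  esac
}

# Pure helper: KQL counting rows per table over the last day. A table absent from the
# result has received nothing; isfuzzy keeps the query valid while a table does not exist yet.
build_check_query() {
  tables=""
  for category in $1; do
    t=$(table_for_category "$category")
    tables="${tables:+$tables, }$t"
  done
  printf 'union isfuzzy=true %s | where TimeGenerated > ago(1d) | summarize Rows=count() by Type' "$tables"
}

main() {
  az account set --subscription "$RC_SUBSCRIPTION"
  az group create --name "$RC_RG" --location "$RC_LOCATION" >/dev/null
  az monitor log-analytics workspace create --resource-group "$RC_RG" \
    --workspace-name "$RC_WORKSPACE" --location "$RC_LOCATION" >/dev/null
  ws_id=$(az monitor log-analytics workspace show --resource-group "$RC_RG" \
    --workspace-name "$RC_WORKSPACE" --query id -o tsv)
  customer_id=$(az monitor log-analytics workspace show --resource-group "$RC_RG" \
    --workspace-name "$RC_WORKSPACE" --query customerId -o tsv)

  # Entra ID diagnostic settings are tenant-level (microsoft.aadiam), not attached to an
  # ARM resource, so they are written with az rest rather than az monitor diagnostic-settings.
  body=$(printf '{"properties":{"workspaceId":"%s","logs":%s}}' \
    "$ws_id" "$(build_logs_json "$ENTRA_CATEGORIES")")
  az rest --method put \
    --url "https://management.azure.com/providers/microsoft.aadiam/diagnosticSettings/RC-EntraID?api-version=2017-04-01-preview" \
    --body "$body" >/dev/null

  echo "Workspace resource ID (needed in Step 3): $ws_id"
  # Entra ID logs take a while to appear; re-run this query later if tables are missing.
  az monitor log-analytics query --workspace "$customer_id" \
    --analytics-query "$(build_check_query "$ENTRA_CATEGORIES")" -o table
}

if [ "${RC_APPLY:-0}" = "1" ]; then main; fi
```

The category-to-table mapping is the part people most often get wrong when validating this step: a query against SignInLogs returns a schema error because the table is SigninLogs, and the risk-event and service-principal categories land in AAD-prefixed tables. Rows=0 for a risk-event table is normal in a tenant with no risky sign-ins; an entirely missing table after a day usually means the category was not enabled.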
Step 3: Configure Red Canary to integrate with your Azure Tenant
Enter the Azure Tenant ID.
Microsoft Azure: To find the Tenant ID, log in to Microsoft Azure.
In the search bar, type and then select Tenant Properties.
Copy and then paste the Tenant ID into Red Canary.
Red Canary: Enter the Log Analytics Workspace ID.
Microsoft Azure: To find the Log Analytics Workspace ID, log in to Microsoft Azure.
In the search bar, type and then select Log Analytics workspace.
Click the workspace that was created in Step 2.15.
Click Properties.
Copy and then paste the Resource ID into Red Canary.
Red Canary: Click Save.
Note: Red Canary will now begin provisioning your resources. This could take up to 20 minutes. The integration status will show Provisioning during this time. It will update to Active once completed.
Step 4: Utilize Entra ID Response Actions
Follow the steps in Response Actions for Entra ID to enable automated playbooks, configured in Red Canary, to take action in Entra ID.
Remove Microsoft Azure from Red Canary
Step 1: Red Canary–Remove Microsoft Azure from Red Canary’s Integration page
From your Red Canary homepage, click Integrations.
Locate and then click the Microsoft Azure integration you want to remove.
Click the icon.
Click OK.
Step 2: Microsoft Azure–Run the Red Canary provided script
From your Microsoft Azure homepage, click Cloud Shell.
From the Cloud Shell dropdown, select Bash.
Click Upload File.
Click Upload.
Select and upload the Red Canary provided script located here.
Note: This automated script will remove the Azure resources created during onboarding. These resources include two Azure Policies: Red Canary's role assignments to access the Subscriptions in your Management Group and a Resource Group created for exporting Microsoft Defender for Cloud alert data.
From the Cloud Shell command line, run ls to confirm that the script file appears in the output.
Use the following command to grant execution permissions to the script file:
chmod +x remove-azure-integration.sh
Execute the script file:
./remove-azure-integration.sh AZURE_TENANT_ID
Step 3: Microsoft Azure–Remove the Log Analytics Data Export rule for Microsoft Entra ID
From the Cloud Shell command line, run the command below:
Note: For log-analytics-workspace-name, subscription-id, and resource-group-name below, enter the values from your own Azure environment.
az monitor log-analytics workspace data-export delete --name RC-Entra-Data-Export \
  --workspace-name log-analytics-workspace-name --subscription subscription-id \
  --resource-group resource-group-name --yes
log-analytics-workspace-name: The name of the Log Analytics Workspace used for the integration.
subscription-id: The ID of the Subscription containing the Log Analytics Workspace.
resource-group-name: The name of the Resource Group containing the Log Analytics Workspace.
Ingest Details
Red Canary ingests Azure Activity Logs and Defender for Cloud Alerts from Azure environments. Additionally, Red Canary integrates with Azure to scan the environment regularly to discover new subscriptions and resources.
Red Canary collects three different types of logs from Azure:
Azure Entra ID Logs are collected for the entire tenant and your subscriptions. These logs include:
ADFSSignInLogs
AuditLogs
ManagedIdentitySignInLogs
NonInteractiveUserSignInLogs
ServicePrincipalRiskEvents
ServicePrincipalSignInLogs
SignInLogs
UserRiskEvents
Azure Activity Logs are management and control plane data collected at the subscription level. These logs include:
AzureActivity
Azure Resource Logs are logs generated by activity on a specific resource collected at the subscription level. These logs include:
StorageLogs
KeyVaultActivityLogs
In addition, Red Canary collects Azure Defender for Cloud Alerts. When Defender for Cloud is enabled on a subscription, each Azure subscription produces its own Defender for Cloud Alerts. Red Canary then collects the Defender for Cloud alerts across an Azure environment and associates those alerts with the source subscription.
For more information on how data is transferred from an Azure environment to Red Canary, see How Microsoft Azure Works with Red Canary.
Finally, Red Canary integrates with Azure to scan your environment regularly to discover new subscriptions and resources. This integration is established via access policy and enables Red Canary to read your Azure environment. This policy does not allow write access. The policies used can be found in this publicly hosted Bicep file used during integration onboarding.